We should ship squirrelmail with an _easy_ way for admins to make it SSL-only.
In fact, we should probably even make that the default.
That means either shipping the secure_login plugin, or appropriate magic in the
httpd config file.

Context: I set up webmail for some people on one of my machines. To my horror, I
realised a few days later that I was actually letting them log in over
unencrypted connections!
I fixed it by fetching and installing the secure_login plugin for Squirrelmail
(http://www.squirrelmail.org/plugin_view.php?id=61), which silently redirects
them to https whenever they come in with an http URL -- there may have been
better solutions.
There are two problems -- first the fact that it was allowing insecure logins by
default, and then the fact that it wasn't immediately obvious how to fix it (and
my solution involved downloading additional plugins).

We can't be doing this by default, because https requires manual configuration,
and people upgrading the squirrelmail package will suddenly have broken
configurations where squirrelmail is redirecting them to something that doesn't
work out of the box.
We can't protect everyone from themselves. I think a bigger problem is that it
was a mistake for us to ship squirrelmail from the beginning...

Not doing it by default is perhaps acceptable -- we ought to have a clear way
for people to do it if they want to though, without having to download extra
plugins.
It's not as if setting up https is _that_ hard.

I personally use this in my httpd.conf. Would you be satisfied if I shipped
this as an example comment with some description of how to use it within the
squirrelmail package?
RedirectMatch ^/webmail[/](.*)$ https://togami.com/webmail/$1
The only complication is that I am uncertain where exactly this line needs to go in
httpd.conf to be effective. I think I may add this as a %doc called something
like SQUIRRELMAIL-FEDORA-SECURE-README.
This I think is better than shipping a plugin in our package, which would still
need to be manually enabled somehow.

Better if you can use something which automatically replaces the 'togami.com'
with an appropriate hostname -- but yeah, that would be sane enough.
I could never get that to work for _only_ http URLs and not _also_ do it for
https URLs (recursively), which is why I resorted to the secure_login plugin.
But if you give a decent example, that would be fine.
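An added example (not configuration from this thread or from the Fedora package) of the "only plaintext HTTP" redirect discussed above, done by placing the rule in the port-80 virtual host so the TLS side never sees it, and using the client's Host header instead of a fixed hostname; it assumes SquirrelMail is aliased at /webmail, that mod_rewrite and mod_ssl are loaded, and uses placeholder hostname and certificate paths:

```apache
# Plain-HTTP virtual host: the redirect lives only here, so a request that
# already arrived over TLS (handled by the vhost below) never matches it and
# cannot be redirected again.
<VirtualHost *:80>
    # placeholder hostname
    ServerName webmail.example.com
    RewriteEngine On
    # Extra guard for layouts where one vhost serves both ports: only act when
    # the connection is not already TLS.
    RewriteCond %{HTTPS} off
    # Refuse to build a redirect from an empty Host header.
    RewriteCond %{HTTP_HOST} !^$
    # /webmail and everything beneath it goes to the same path over https on the
    # host the client asked for; R=301 is a permanent redirect, L stops further
    # rule processing.
    RewriteRule ^/webmail(/.*)?$ https://%{HTTP_HOST}/webmail$1 [R=301,L]
</VirtualHost>

# TLS virtual host: serves SquirrelMail itself and carries no redirect rule.
<VirtualHost *:443>
    # placeholder hostname
    ServerName webmail.example.com
    SSLEngine on
    # placeholder certificate and key paths
    SSLCertificateFile /etc/pki/tls/certs/webmail.crt
    SSLCertificateKeyFile /etc/pki/tls/private/webmail.key
    # assumed install path for the SquirrelMail package
    Alias /webmail /usr/share/squirrelmail
</VirtualHost>
```

After `httpd -t` reports a clean syntax check, `curl -I http://webmail.example.com/webmail/` should return a 301 whose Location header starts with https://, while the same request against the https URL returns the login page directly with no further redirect.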